The Department of Homeland Security’s effort to get its hands on information about the road travels of all Americans is back. In a Privacy Impact Assessment (PIA) issued yesterday about a plan for using license plate reader data, Immigration and Customs Enforcement describes a plan to “procure the services of a commercial vendor of LPR information.” The agency pays lip service to public concerns about license plate readers and offers some improvements to the government’s current more or less unrestrained use of location tracking technology. It does not, however, remedy the fundamental civil liberties problems with such a project.

About a year ago, DHS cancelled its plan to purchase access to a nationwide automatic license plate reader database after its revelation triggered an outcry. The scope of what the government expected from this database had shocked the public and legislators: over two billion location data points, growing at a rate of 70 million scans per month, that were shared with and received from law enforcement agencies and private contractors across the country (although ICE field offices had paid the company Vigilant Video for location information for years and continue to do so).

It’s appropriate to use license plate scanners to check for wanted vehicles, but the technology should never be used to store up databases of the movements of vehicles that are not on any hot lists. Unfortunately, it’s just this kind of mass surveillance of movement that ICE’s proposal relies upon and encourages. The privacy assessment says that such data would be “useful” to ICE. No doubt that will occasionally be the case, as it would be with any surveillance technology used to record the activities of private citizens en masse—but it violates the longstanding tenet that the government not monitor citizens unless it has individualized suspicion of involvement in wrongdoing.

The bottom line is that DHS is incentivizing the growth of an industry whose business model is monitoring the location and movements of Americans en masse and selling it to the government. Whether by government or its contractors, such mass monitoring should not be done in the first place, and should not be encouraged by the government, and its results should not end up in the hands of the government.

If DHS pays a private company to collect data for it (turning that company into an agent of the government), the private company should be bound by the same policies, principles and law that the government would have to follow, if it were to do the work itself. The PIA makes it clear that this is not the case.

While the PIA describes how DHS will access data in a commercial database and transfer the data to its own database, the document does not address the many important decisions that the company makes about collection, accountability, retention, or others. For example, DHS may have a policy and protections against racial profiling (which we think are incomplete), but the PIA doesn’t suggest that Vigilant Video (the most likely company to receive this type of contract) will need one. It would be unconstitutional for an ICE agent to target a location for ALPR surveillance based on race or ethnicity, but the policies outlined in the PIA would not stop its contracted company from doing the same thing. Similarly, ICE may have policies against enforcement around sensitive locations like schools, but the PIA does not stop the contracted company from targeting those same areas for collection.

More notes from the Privacy Impact Assessment:

We object to ICE buying access to license plate reader data to further target immigration enforcement priorities that are not public safety or national security risks. There are many, many people targeted by ICE that should be neither locked up nor deported. This new contract would only further ICE’s mass deportation regime.

While it is good that DHS has placed any restrictions at all on how far back in time it can access location records, the limits are too narrow. Five years of location records will likely give law enforcement agents a detailed picture of someone’s life. And this is not a retention policy; the company can retain the records forever. The only limit is on DHS’ ability to query the data—and ICE can make exceptions to this policy and ignore the limits “if approved by a supervisor.”

The PIA requires the ability to audit DHS’ queries of the private database, but it does not create an audit for additions to a hot list. The document suggests that ICE will create a hot list that it will submit to the private database, which will automatically alert ICE if the plate is detected. DHS should require the same reporting for adding a license plate to the hotlist as it does for querying the database.

The PIA reminds the public that DHS still has no policy on the use of license plate reader systems that it owns and operates itself.

The PIA claims that two ICE field offices have current subscriptions to private LPR databases. This may be true currently but many more have had subscriptions or have attempted to get subscriptions.

Some positive notes from the PIA:

DHS recognizes that that license plate reader data is “Personally Identifiable Information” (PII). There shouldn’t be any doubt about this, but the International Association of Chiefs of Police disagrees.

The PIA suggests that investigators cannot query the database for a partial plate, or ask to receive a list of all license plates from a certain area or time period. This is an important protection that makes it harder for employees to conduct fishing expeditions.

The PIA recognizes that LPR data in aggregate may detail individual’s travel over time and provide details about an individual’s private life, such as frequenting a place of worship or participating in protest and meetings, thereby implicating constitutionally protected freedoms.

ICE says it will not be contributing data to the LPR database, and recognizes the importance of audits and accountability, and of regular review and "cleaning" of hot lists.

Anonymous

Anonymous

Anything that gets saved somewhere will eventually be abused. There should be no database. If a hot license plate is identified, there should be a notification with the relevant data attached to that notification.

Why does any information need to be saved? It's already bad enough that they're scanning en masse. If the government is dishonest, or if that system is hacked by a malicious third party, then once again, you have the exact same problems of abuse. The system should be built so there is no possible way that information could ever be saved. One-time notifications - that's it.

And they should build it with security against hackers in mind. They should assume that any number of hackers will want to compromise the system. They must assume they will always be trying to do this.

Anonymous

Anonymous

Anonymous

Please. The Government is dishonest. Just follow the money... some supplier of the scanners and computer database is lobbying ICE to pay for it on Taxpayer Dime. Time to Declare War on Public Corruption, Term Limit Republican Judges.

Vickey Wilson

Sad that we know this about hate and greed. Sadly we always know to Follow the Money, expect the hate, to expect Corruption as the status quo. This country is failing morally and the higher up In government the more hateful amd greedy it gets. We need anti-corruption laws. We need congressional committees amd intelligence services to stop acting like an kn estigation takes 6 damn months. Jeff Sessions should be in jail or atleast fired for perjury and Donald Trump should already be out of the WH, impeached for violating the Emoluments clause of the Constitution and for brazenly trying to turn this Country into Nazi Germany.